Added LDAP Draft for Funkwhale

roles/docker-bigbluebutton/templates/nginx-proxy.conf.j2

@@ -5,7 +5,7 @@ server {
 
   location / {
     proxy_http_version 1.1;
-    proxy_pass http://$endpoint_addr:{{ports.localhost.oauth2_proxy_ports[application_id]}};
+    proxy_pass http://$endpoint_addr:{{ports.localhost.oauth2_proxy[application_id]}};
     proxy_set_header Host $host;
     proxy_set_header X-Real-IP $remote_addr;
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

roles/docker-bluesky/tasks/main.yml

@@ -7,13 +7,13 @@
   include_tasks: nginx-docker-proxy-domain.yml
   vars:
     domain: "{{ domains.bluesky_api }}"
-    http_port: "{{ ports.localhost.http_ports.bluesky_api }}"
+    http_port: "{{ ports.localhost.http.bluesky_api }}"
 
 - name: "Include tasks for Web domain"
   include_tasks: nginx-docker-proxy-domain.yml
   vars:
     domain: "{{ domains.bluesky_web }}"
-    http_port: "{{ ports.localhost.http_ports.bluesky_web }}" 
+    http_port: "{{ ports.localhost.http.bluesky_web }}" 
 
 # The following lines should be removed when the following issue is closed:
 # https://github.com/bluesky-social/pds/issues/52

roles/docker-bluesky/templates/docker-compose.yml.j2

@@ -6,7 +6,7 @@ services:
         - pds_data:/opt/pds
         - {{pdsadmin_file_path}}:/usr/local/bin/pdsadmin:ro
     ports:
-      - "127.0.0.1:{{ports.localhost.http_ports.bluesky_api}}:3000"
+      - "127.0.0.1:{{ports.localhost.http.bluesky_api}}:3000"
     healthcheck:
       test: ["CMD", "wget", "--spider", "http://127.0.0.1:3000/xrpc/_health"]
       interval: 1m
@@ -27,7 +27,7 @@ services:
         REACT_APP_SITE_NAME: "{{primary_domain | upper}} - Bluesky"
         REACT_APP_SITE_DESCRIPTION: "Decentral Social "
     ports:
-      - "127.0.0.1:{{ports.localhost.http_ports.bluesky_web}}:8100"
+      - "127.0.0.1:{{ports.localhost.http.bluesky_web}}:8100"
     healthcheck:
       test: ["CMD", "sh", "-c", "for pid in $(ls /proc | grep -E '^[0-9]+$'); do if cat /proc/$pid/cmdline 2>/dev/null | grep -q 'bskywebserve'; then exit 0; fi; done; exit 1"]
       interval: 30s

roles/docker-compose/tasks/main.yml

@@ -6,9 +6,9 @@
     domain: "{{ domains[application_id] if application_id in domains else None }}"
   # Default case: One domain exists. Some applications like matrix don't have an default domain
 
-- name: "Set global http_port to {{ ports.localhost.http_ports[application_id] }}"
+- name: "Set global http_port to {{ ports.localhost.http[application_id] }}"
   set_fact:
-    http_port: "{{ ports.localhost.http_ports[application_id] if application_id in ports.localhost.http_ports else None }}"
+    http_port: "{{ ports.localhost.http[application_id] if application_id in ports.localhost.http else None }}"
   # Default case: One port exists. Some applications like matrix don't have an default port
 
 - name: "remove {{ docker_compose.directories.instance }} and all its contents"

roles/docker-funkwhale/templates/env.j2

@@ -99,19 +99,21 @@ DJANGO_SETTINGS_MODULE=config.settings.production
 # Generate one using `openssl rand -base64 45`, for example
 DJANGO_SECRET_KEY={{funkwhale_django_secret}}
 
+{% if ldap_enabled | bool %}
 # LDAP settings
 # Use the following options to allow authentication on your Funkwhale instance
 # using a LDAP directory.
 # Have a look at https://docs.funkwhale.audio/installation/ldap.html for
 # detailed instructions.
 
-# LDAP_ENABLED=False
-# LDAP_SERVER_URI=ldap://your.server:389
-# LDAP_BIND_DN=cn=admin,dc=domain,dc=com
-# LDAP_BIND_PASSWORD=bindpassword
-# LDAP_SEARCH_FILTER=(|(cn={0})(mail={0}))
-# LDAP_START_TLS=False
-# LDAP_ROOT_DN=dc=domain,dc=com
+LDAP_ENABLED=True
+LDAP_SERVER_URI={{ldap.server.uri}}
+LDAP_BIND_DN={{ldap.dn.administrator}}
+LDAP_BIND_PASSWORD={{applications.ldap.administrator_database_password}}
+LDAP_SEARCH_FILTER=(|(cn={0})(mail={0})) # Needs to checked 
+LDAP_START_TLS=False
+LDAP_ROOT_DN={{ldap.dn.root}}
+{% endif %}
 
 FUNKWHALE_FRONTEND_PATH=/srv/funkwhale/front/dist
 

roles/docker-funkwhale/vars/main.yml

@@ -2,7 +2,7 @@ application_id:                                 "funkwhale"
 nginx_docker_reverse_proxy_extra_configuration: "client_max_body_size 512M;"
 database_password:                              "{{funkwhale_database_password}}"
 database_type:                                  "postgres"
-ldap_network_enabled:                           "{{ldap.enabled}}"
+ldap_enabled:                                   True
 media_root:                                     "/srv/funkwhale/data/"
 static_root:                                    "{{media_root}}static"
 celeryd_concurrency:                            1

roles/docker-gitea/templates/docker-compose.yml.j2

@@ -7,7 +7,7 @@ services:
     image: "gitea/gitea:{{applications.gitea.version}}"
     ports:
       - "127.0.0.1:{{http_port}}:3000"
-      - "{{ports.public.ssh_ports[application_id]}}:22"
+      - "{{ports.public.ssh[application_id]}}:22"
     volumes:
       - data:/data
       - /etc/timezone:/etc/timezone:ro

roles/docker-gitea/templates/env.j2

@@ -5,7 +5,7 @@ DB_HOST={{database_host}}:{{database_port}}
 DB_NAME={{database_name}}
 DB_USER={{database_username}}
 DB_PASSWD={{database_password}}
-SSH_PORT={{ports.public.ssh_ports[application_id]}}
+SSH_PORT={{ports.public.ssh[application_id]}}
 SSH_LISTEN_PORT=22
 DOMAIN={{domain}}
 SSH_DOMAIN={{domain}}

roles/docker-gitlab/templates/docker-compose.yml.j2

@@ -10,7 +10,7 @@ services:
 {% include 'roles/docker-compose/templates/services/base.yml.j2' %}
     ports:
       - "127.0.0.1:{{http_port}}:80"
-      - "{{ports.public.ssh_ports[application_id]}}:22"
+      - "{{ports.public.ssh[application_id]}}:22"
     volumes:
       - 'config:/etc/gitlab'
       - 'logs:/var/log/gitlab'

roles/docker-gitlab/templates/env.j2

@@ -2,7 +2,7 @@
 {% set config_lines = [
   "external_url 'https://{{ domain }}'",
   "postgresql['enable']=false",
-  "gitlab_rails['gitlab_shell_ssh_port']={{ ports.public.ssh_ports[application_id] }}",
+  "gitlab_rails['gitlab_shell_ssh_port']={{ ports.public.ssh[application_id] }}",
   "gitlab_rails['db_adapter']='postgresql'",
   "gitlab_rails['db_encoding']='utf8'",
   "gitlab_rails['db_host']='{{ database_host }}'",

roles/docker-keycloak/vars/main.yml

@@ -1,4 +1,4 @@
 application_id:  	      "keycloak"
 database_type:          "postgres"
 database_password:      "{{keycloak_database_password}}"
-ldap_network_enabled:   "{{ldap.enabled}}"
+ldap_enabled:   True

roles/docker-ldap/handlers/main.yml

@@ -1,6 +1,6 @@
 - name: "import missing groups from {{ldif_docker_path}} to OpenLDAP"
   shell: >
-    docker exec -i openldap {{ 'ldapmodify' if applications.ldap.openldap.modify|bool else 'ldapadd' }} -x -D "{{ldap_admin_dn}}" -w "{{applications.ldap.administrator_database_password}}" -c -f "{{ldif_docker_path}}{{ item }}"
+    docker exec -i openldap {{ 'ldapmodify' if applications.ldap.openldap.modify|bool else 'ldapadd' }} -x -D "{{ldap.dn.administrator}}" -w "{{applications.ldap.administrator_database_password}}" -c -f "{{ldif_docker_path}}{{ item }}"
   loop: "{{ ldif_files }}"
   register: ldapadd_result
   changed_when: "'adding new entry' in ldapadd_result.stdout"

roles/docker-ldap/tasks/main.yml

@@ -11,13 +11,13 @@
     src:  "nginx.stream.conf.j2" 
     dest: "{{nginx.directories.streams}}{{domain}}.conf"
   notify: restart nginx
-  when: applications.ldap.openldap.expose_to_internet | bool
+  when: applications.ldap.openldap.network.public | bool
 
 - name: Remove {{domain}}.conf if LDAP is not exposed to internet
   file:
     path: "{{ nginx.directories.streams }}{{ domain }}.conf"
     state: absent
-  when: not applications.ldap.openldap.expose_to_internet | bool
+  when: not applications.ldap.openldap.network.public | bool
 
 - name: create docker network for LDAP, so that other applications can access it
   docker_network:

roles/docker-ldap/templates/docker-compose.yml.j2

@@ -23,19 +23,18 @@ services:
 {% endif %}
   openldap:
     image: bitnami/openldap:{{applications.ldap.openldap.version}}
-    container_name: openldap
+    container_name: {{applications.ldap.openldap.hostname}}
 {% include 'roles/docker-compose/templates/services/base.yml.j2' %}
-{% if applications.ldap.openldap.expose_to_internet | bool %}
+{% if applications.ldap.openldap.network.public | bool %}
     ports:
-      - 127.0.0.1:{{ldap_localhost_port}}:{{ldap_localhost_port}}               # Expose just on localhost so that nginx stream proxy can use it
-      - 127.0.0.1:{{ldap_secure_localhost_port}}:{{ldap_secure_localhost_port}} # Expose just on localhost
+      - 127.0.0.1:{{ports.localhost.ldap.openldap}}:{{ldap_docker_port}}  # Expose just on localhost so that nginx stream proxy can use it
 {% endif %}
     volumes:
       - 'data:/bitnami/openldap'
-      - '{{ldif_host_path}}:{{ldif_docker_path}}:ro' # Mounting all ldif files for import
+      - '{{ldif_host_path}}:{{ldif_docker_path}}:ro'                      # Mounting all ldif files for import
     healthcheck:
       test: >
-        ldapsearch -x -H ldap://localhost:389 -b "{{ldap_root}}" -D "{{ldap_admin_dn}}" -w "{{applications.ldap.administrator_database_password}}"
+        ldapsearch -x -H ldap://localhost:{{ldap_docker_port}} -b "{{ldap.dn.root}}" -D "{{ldap.dn.administrator}}" -w "{{applications.ldap.administrator_database_password}}"
       interval: 30s
       timeout: 10s
       retries: 3

roles/docker-ldap/templates/env.j2

@@ -9,18 +9,18 @@ LDAP_ADMIN_PASSWORD=        {{applications.ldap.administrator_database_password}
 ## Users
 LDAP_USERS=                 ' '                             # Comma separated list of LDAP users to create in the default LDAP tree. Default: user01,user02
 LDAP_PASSWORDS=             ' '                             # Comma separated list of passwords to use for LDAP users. Default: bitnami1,bitnami2
-LDAP_ROOT=                  {{ldap_root}}                   # LDAP baseDN (or suffix) of the LDAP tree. Default: dc=example,dc=org
+LDAP_ROOT=                  {{ldap.dn.root}}                # LDAP baseDN (or suffix) of the LDAP tree. Default: dc=example,dc=org
 
 ## Admin
-LDAP_ADMIN_DN=              {{ldap_admin_dn}}               # Not well documented. Don't know if this has an effect
+LDAP_ADMIN_DN=              {{ldap.dn.administrator}}       # Not well documented. Don't know if this has an effect
 LDAP_CONFIG_ADMIN_ENABLED=  yes
 LDAP_CONFIG_ADMIN_USERNAME= {{applications.ldap.administrator_username}}
 LDAP_CONFIG_ADMIN_PASSWORD= {{applications.ldap.administrator_password}}
   
 # Network
-LDAP_PORT_NUMBER=           {{ldap_localhost_port}}         # Route to default port
+LDAP_PORT_NUMBER=           {{ldap_docker_port}}            # Route to default port
 LDAP_ENABLE_TLS=            no                              # Using nginx proxy for tls
-LDAP_LDAPS_PORT_NUMBER=     {{ldap_secure_localhost_port}}  # Port used for TLS secure traffic. Priviledged port is supported (e.g. 636). Default: 1636 (non privileged port).
+LDAP_LDAPS_PORT_NUMBER=     {{ldaps_docker_port}}           # Port used for TLS secure traffic. Priviledged port is supported (e.g. 636). Default: 1636 (non privileged port).
 
 # Security
 LDAP_ALLOW_ANON_BINDING=    no                              # Allow anonymous bindings to the LDAP server. Default: yes.

roles/docker-ldap/templates/lam.env.j2

@@ -7,7 +7,7 @@ LAM_PASSWORD=               {{applications.ldap.lam.administrator_password}}
 LAM_CONFIGURATION_DATABASE= files                                                   # configuration database (files or mysql) @todo implement mariadb
 
 # LDAP Configuration
-LDAP_SERVER=                {{applications.ldap.openldap.domain}}                   # domain of LDAP database root entry, will be converted to dc=...,dc=...
-LDAP_BASE_DN=               {{ldap_root}}                                           # LDAP base DN to overwrite value generated by LDAP_DOMAIN
-LDAP_USER=                  {{ldap_admin_dn}}                                       # LDAP admin user (set as login user for LAM)
+LDAP_SERVER=                {{ldap.server.domain}}                                  # domain of LDAP database root entry
+LDAP_BASE_DN=               {{ldap.dn.root}}                                        # LDAP base DN to overwrite value generated by LDAP_DOMAIN
+LDAP_USER=                  {{ldap.dn.administrator}}                               # LDAP admin user (set as login user for LAM)
 LDAP_ADMIN_PASSWORD=        {{applications.ldap.administrator_database_password}}   # LDAP admin password

roles/docker-ldap/templates/nginx.stream.conf.j2

@@ -1,6 +1,6 @@
 server {
-    listen {{ldap_secure_internet_port}} ssl;
-    proxy_pass 127.0.0.1:{{ldap_localhost_port}};
+    listen {{ports.public.ldaps.openldap}}ssl;
+    proxy_pass 127.0.0.1:{{ports.localhost.ldap.openldap}};
 
     # SSL Configuration for LDAPS
     {% include 'roles/letsencrypt/templates/ssl_credentials.j2' %}

roles/docker-ldap/vars/main.yml

@@ -1,10 +1,8 @@
-application_id:               "ldap"
-ldap_root:                    "dc={{primary_domain_sld}},dc={{primary_domain_tld}}"
-ldap_admin_dn:                "cn={{applications.ldap.administrator_username}},{{ldap_root}}"
-ldap_secure_localhost_port:   1636
-ldap_secure_internet_port:    636
-ldap_localhost_port:          389
-ldap_network_enabled:         "{{ldap.enabled}}"
+application_id:       "ldap"
+ldaps_docker_port:    636
+ldap_docker_port:     389
+ldap_enabled:         True
+
 # OAuth2 Proxy Configuration
 oauth2_proxy_upstream_application_and_port: "{{ applications.ldap.webinterface }}:{% if applications.ldap.webinterface == 'phpldapadmin' %}8080{% else %}80{% endif %}"
 oauth2_proxy_active:                        true

roles/docker-matrix-compose/tasks/main.yml

@@ -7,7 +7,7 @@
   include_tasks: certbot-and-globals.yml
   vars:
     domain:     "{{domains.matrix_synapse}}"
-    http_port:  "{{ports.localhost.http_ports.matrix_synapse}}"
+    http_port:  "{{ports.localhost.http.matrix_synapse}}"
 
 - name: create {{well_known_directory}}
   file:
@@ -26,14 +26,14 @@
     dest: "{{nginx.directories.http.servers}}{{domains.matrix_synapse}}.conf"
   vars:
     # domain:     "{{domains.matrix_synapse}}" This does not seem to work @todo Check how to solve without declaring set_fact, seems a bug at templates
-    http_port:  "{{ports.localhost.http_ports.matrix_synapse}}"
+    http_port:  "{{ports.localhost.http.matrix_synapse}}"
   notify: restart nginx
         
 - name: "include tasks nginx-docker-proxy-domain.yml for element"
   include_tasks: nginx-docker-proxy-domain.yml
   vars:        
     domain:     "{{domains.matrix_element}}"
-    http_port:  "{{ports.localhost.http_ports.matrix_element}}"
+    http_port:  "{{ports.localhost.http.matrix_element}}"
 
 - name: include create-and-seed-database.yml for multiple bridges
   include_tasks: create-and-seed-database.yml

roles/docker-matrix-compose/templates/docker-compose.yml.j2

@@ -19,7 +19,7 @@ services:
       - SYNAPSE_SERVER_NAME={{domains.matrix_synapse}}
       - SYNAPSE_REPORT_STATS=no
     ports:
-      - "127.0.0.1:{{ports.localhost.http_ports.matrix_synapse}}:8008"
+      - "127.0.0.1:{{ports.localhost.http.matrix_synapse}}:8008"
     healthcheck:
       test: ["CMD", "curl", "-f", "http://localhost:8008/"]
       interval: 1m
@@ -39,7 +39,7 @@ services:
     volumes:
       - ./element-config.json:/app/config.json
     ports:
-      - "127.0.0.1:{{ports.localhost.http_ports.matrix_element}}:80"
+      - "127.0.0.1:{{ports.localhost.http.matrix_element}}:80"
     healthcheck:
       test: ["CMD", "wget", "--spider", "-q", "http://localhost:80/"]
       interval: 1m

roles/docker-matrix-compose/templates/nginx.conf.j2

@@ -1,7 +1,7 @@
 server {
     # Somehow .j2 doesn't interpretate the passed variable right. For this reasons this redeclaration is necessary
     {% set domain = domains.matrix_synapse %}
-    {% set http_port = ports.localhost.http_ports.matrix_synapse %}
+    {% set http_port = ports.localhost.http.matrix_synapse %}
 
     server_name {{domain}};
     {% include 'roles/letsencrypt/templates/ssl_header.j2' %}

roles/docker-nextcloud/vars/main.yml

@@ -4,4 +4,4 @@ database_password:  	                "{{nextcloud_database_password}}"
 database_type:                        "mariadb"
 nextcloud_application_container_name: "nextcloud-application"
 nextcloud_nginx_container_name:       "nextcloud-web"
-ldap_network_enabled:                 "{{ldap.enabled}}"
+ldap_enabled:                         True

roles/docker-oauth2-proxy/templates/container.yml.j2

@@ -4,6 +4,6 @@
     command: --config /oauth2-proxy.cfg
     hostname: oauth2-proxy
     ports:
-      - {{ports.localhost.oauth2_proxy_ports[application_id]}}:4180/tcp
+      - {{ports.localhost.oauth2_proxy[application_id]}}:4180/tcp
     volumes:
       - "{{docker_compose.directories.volumes}}{{applications.oauth2_proxy.configuration_file}}:/oauth2-proxy.cfg"

roles/docker-openproject/vars/main.yml

@@ -15,4 +15,4 @@ dummy_volume:                                 "{{docker_compose.directories.volu
 oauth2_proxy_upstream_application_and_port:   "proxy:80"
 oauth2_proxy_active:                          true
 
-ldap_network_enabled:                         "{{ldap.enabled}}"
+ldap_enabled:                                 True

roles/docker-snipe_it/templates/docker-compose.yml.j2

@@ -10,7 +10,7 @@ services:
     volumes:
       - data:/var/lib/snipeit
     ports:
-      - "127.0.0.1:{{ports.localhost.http_ports.snipe_it}}:80"
+      - "127.0.0.1:{{ports.localhost.http.snipe_it}}:80"
 {% include 'templates/docker/container/depends-on-database-redis.yml.j2' %}
 {% include 'templates/docker/container/networks.yml.j2' %}
 

roles/nginx-docker-reverse-proxy/templates/domain.conf.j2

@@ -13,7 +13,7 @@ server
 
   # OAuth2-Proxy-Endpoint
   location /oauth2/ {
-      proxy_pass http://127.0.0.1:{{ports.localhost.oauth2_proxy_ports[application_id]}};
+      proxy_pass http://127.0.0.1:{{ports.localhost.oauth2_proxy[application_id]}};
       proxy_set_header Host $host;
       proxy_set_header X-Real-IP $remote_addr;
       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;